Vtiger 'return_url' Parameter Multiple Cross Site Scripting Vulnerabilities

Summary
This host is installed with Vtiger CRM and is prone to multiple cross-site scripting (XSS) vulnerabilities.
Impact
Successful exploitation will allow an attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Impact Level: Application
Solution
Upgrade to the latest version of Vtiger 6.0 or later. For updates, refer to https://www.vtiger.com
Insight
The flaws are due to improper sanitization of user-supplied input passed via the 'return_url' parameter to savetemplate.php and via unspecified vectors to deletetask.php, edittask.php, savetask.php, or saveworkflow.php.
Affected
Vtiger CRM version 5.4.0
Detection
Send a crafted HTTP GET request and check whether the host responds with an error message.